
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
An out-of-bounds write vulnerability (CVE-2025-27363) has been identified in FreeType versions 2.13.0 and below. The vulnerability was discovered in March 2025 and affects the font rendering library's handling of TrueType GX and variable font files. This high-severity vulnerability, with a CVSS score of 8.1, impacts various operating systems and software platforms that use FreeType, including GNU/Linux, FreeBSD, NetBSD, ChromeOS, ReactOS, Android, Tizen, iOS, and browser engines like Chromium, WebKit, Gecko, and Goanna (Hacker News).
The vulnerability stems from improper type handling: the code assigns a signed short value to an unsigned long and then adds a static value, causing an integer wraparound that results in the allocation of an undersized heap buffer. The code subsequently writes up to six signed long integers out of bounds relative to that buffer. The flaw is reached when parsing font subglyph structures related to TrueType GX and variable font files, and triggering it requires a short integer overflow with a limit value in the range 0xFFFD to 0xFFFF (OSS Security).
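As an added illustration, not code from FreeType or from this report, the following C program models the arithmetic described above: a signed 16-bit count is widened to unsigned long, a constant is added, and the result is used to size a buffer of longs, beside one hardened form that rejects the bad input before the cast. The constant EXTRA, the function names and the six-write check are assumptions chosen to mirror the description; the actual FreeType identifiers and constant are not on this page.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Illustrative model of the bug class described in the report; this is NOT
 * FreeType's code. A 16-bit signed count read from an untrusted font is
 * widened to unsigned long, a constant is added, and the sum sizes a heap
 * buffer of longs. EXTRA is an assumed constant for the demonstration. */
#define EXTRA 4UL

/* Unchecked size computation, as the vulnerable pattern does it.
 * For count = -3 (0xFFFD as a 16-bit two's-complement value), the cast
 * sign-extends to ULONG_MAX - 2; adding EXTRA wraps to 1, so the buffer
 * holds a single long instead of the negative count being rejected. */
unsigned long unchecked_alloc_size(short count)
{
    unsigned long n = (unsigned long)count; /* sign extension, then wrap on add */
    return (n + EXTRA) * sizeof(long);
}

/* One hardened form: reject negative counts before widening and guard the
 * multiplication. Returns 0 when the input is rejected (a real size is never
 * 0 here because EXTRA > 0). */
unsigned long checked_alloc_size(short count)
{
    if (count < 0)
        return 0;
    unsigned long n = (unsigned long)count;
    if (n > ULONG_MAX / sizeof(long) - EXTRA)
        return 0; /* (n + EXTRA) * sizeof(long) would overflow */
    return (n + EXTRA) * sizeof(long);
}

/* Does a buffer of buf_bytes hold n_writes longs? The report says the code
 * writes up to six longs into the undersized buffer. */
int write_fits(unsigned long buf_bytes, unsigned long n_writes)
{
    return n_writes <= buf_bytes / sizeof(long);
}

int main(void)
{
    /* Constructed sample counts: one valid, three in the wraparound range. */
    short samples[] = { 10, -1, -2, -3 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        short c = samples[i];
        unsigned long bad = unchecked_alloc_size(c);
        unsigned long good = checked_alloc_size(c);
        printf("count=%d unchecked=%lu bytes (6 writes fit: %s) checked=%lu\n",
               c, bad, write_fits(bad, 6) ? "yes" : "no", good);
    }
    return 0;
}
```

The point to take from the output is that a negative count never produces a large allocation request that malloc would refuse; it produces a small, successful one, which is why the bug is a silent heap overflow rather than a crash at allocation time. Validating the signed value before it is widened is what closes that gap.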
The vulnerability can lead to arbitrary code execution when parsing malicious font files. Given FreeType's widespread use in numerous operating systems and software platforms, including major browsers and mobile operating systems, the potential impact is significant. The situation is particularly concerning as the vulnerability may have been exploited in the wild (Security Online).
Users and administrators are advised to update to FreeType versions newer than 2.13.0, with version 2.13.3 confirmed as not vulnerable. For systems where immediate updating is not possible, several Linux distributions are working on backported fixes. The fix involves multiple commits that address the signed/unsigned integer handling and memory allocation issues. Mozilla has already updated their bundled FreeType to version 2.13.3 in Firefox (OSS Security).
The vulnerability has garnered significant attention from the security community, with Meta (formerly Facebook) issuing a security advisory and various Linux distributions actively working on patches. Mozilla has responded quickly by updating their bundled version of FreeType in Firefox, demonstrating the industry's swift response to the threat (Hacker News).
Source: This report was generated using AI